AirProbe: OTA

Over-the-Air (OTA) attack

OTA (Over-The-Air) is a technology used to communicate with, download
applications to, and manage a SIM card without physical access to the
card. With OTA, a network operator can introduce new SIM services and
modify the contents of SIM cards without having to reissue them: the SIM
card can be managed remotely and STK (SIM Toolkit) applications can be
downloaded dynamically. A mobile operator may use the OTA mechanism to
send binary Java applets (several kilobytes) to the SIM via SMS. These
applets can be installed silently, without the user noticing (whether
the handset shows anything depends on the handset). The Java applets
have access to GSM functionality and to the mobile phone itself through
the SIM Toolkit interface. The details of that interface are defined in
GSM 11.11 (the SIM-ME interface) and GSM 11.14 (the SIM Application
Toolkit).

Please do not confuse OTA with the over-the-air bitmap (OTA bitmap), a data format developed by Nokia for sending images via SMS.

The operator sends service requests to an OTA Gateway, which transforms
the requests into SMS messages and sends them on to a Short Message
Service Centre (SMSC). This special SMS is then transmitted over the air
to the SIM card. The chain consists of:

An OTA Gateway to turn the requests into a format the SIM card
understands. The OTA Gateway has to support GSM phase 2+.

An SMSC to send the requests through the GSM network. Messages sent to
the SMSC need to be formatted with the right set of parameters as
described in GSM 03.48 (security mechanisms for the SIM Application
Toolkit: the secured packet format carried over SMS-PP).

A bearer to transport the request (the SMS message).

Mobile equipment to receive the request and pass it to the SIM card. The mobile phone has to be SIM Toolkit compliant.

A SIM card to receive and execute the request.

OTA software delivery
can be initiated on request, such as a call to the provider's customer
support system, or performed automatically. Verizon Wireless in the
U.S. provides a number of OTA functions (updates to the phone
configuration and to the Preferred Roaming List) to its subscribers via
the *228 service code; note that this is a CDMA mechanism that programs
the handset rather than a SIM. OTA by SMS is not limited to cellular
network operators: OTA messages may also be generated by third parties
and sent directly to the handset. For example, the UK VoIP operator aql
uses an OTA configuration message to automatically configure the SIP
VoIP client on Nokia's E-Series handsets when users sign up for its
mobile VoIP service.

OTA via special SMS

An OTA SMS can be several kilobytes in size using SMS concatenation. The
OTA SMS is first received by the mobile equipment and then forwarded
(silently or not, depending on the handset) to the SIM. The SIM then
checks the security of the packet (if the packet header requests it)
and processes the command it carries.

The SMS that most people know is sent to the Mobile Equipment (ME) and
appears in the inbox of the phone. Another kind of SMS can be sent to
the SIM directly: a message whose protocol identifier is "SIM data
download" (TP-PID 0x7F) and whose data coding scheme is class 2 is
handed by the ME to the SIM in an ENVELOPE (SMS-PP DOWNLOAD) command
instead of being displayed (GSM 11.14). Only the mobile operator should
be able to send such an SMS to the SIM (Network -> SIM). In practice it
is possible on many networks to send an SMS from any mobile phone via
the network to the SIM in another mobile phone (SIM -> SIM) without this
SMS being firewalled by the network. In networks where such SMS are
correctly firewalled, an SMS addressed to the SIM can still be sent via
direct access to an SMSC. There are many SMSC providers on the internet
that offer raw access to an SMSC gateway via which SMS to the SIM can be
sent, but most SMSC servers are not configured to forward correctly
formed APDU (Application Protocol Data Unit) packets.
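The distinction above is visible in the PDU itself. The following is an added example, not code from the AirProbe page or from any tool it mentions: it decodes an SMS-DELIVER PDU as a GSM modem hands it over in PDU mode and decides where the ME routes it (inbox, SIM data download, or the silent Type 0 message discussed under HushSMS below). For a SIM data download message it also splits the GSM 03.48 command packet header. The three PDUs are constructed for this example; the phone numbers use the fictional UK 07700 900xxx range and the SMSC, TAR and secured-data bytes are placeholders, not values from the page.

```python
# Added example (not part of the AirProbe page): decode SMS-DELIVER PDUs and
# classify how the ME treats them. Sample PDUs are constructed; see lead-in.

def _digits(semi: bytes, count: int) -> str:
    """Decode nibble-swapped BCD digits (GSM 03.40 semi-octets), dropping F filler."""
    return "".join("%x%x" % (b & 0x0F, b >> 4) for b in semi)[:count]

def _unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed user data; letters and digits coincide with ASCII."""
    out, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < septets:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return bytes(out).decode("ascii", "replace")

def _dcs_info(dcs: int):
    """(alphabet, class) from TP-DCS per GSM 03.38; alphabet 0=7-bit, 1=8-bit, 2=UCS2."""
    if dcs >> 6 == 0:                                  # general data coding group
        return (dcs >> 2) & 3, (dcs & 3) if dcs & 0x10 else None
    if dcs >> 4 == 0xF:                                # "data coding / message class" group
        return (1 if dcs & 0x04 else 0), dcs & 3
    return None, None                                  # message-waiting groups etc.

def _parse_0348(packet: bytes) -> dict:
    """Split a GSM 03.48 command packet: CPL, CHL, SPI, KIc, KID, TAR, secured data."""
    cpl, chl = int.from_bytes(packet[0:2], "big"), packet[2]
    if cpl != len(packet) - 2:
        raise ValueError("CPL does not match packet length")
    return {"spi": packet[3:5].hex(), "kic": packet[5], "kid": packet[6],
            "tar": packet[7:10].hex(),
            "secured_data": packet[3 + chl:].hex()}    # CHL covers SPI..RC/CC/DS

def decode_deliver(pdu_hex: str) -> dict:
    raw = bytes.fromhex(pdu_hex)
    smsc_len = raw[0]
    smsc = _digits(raw[2:1 + smsc_len], (smsc_len - 1) * 2)
    pos = 1 + smsc_len
    first = raw[pos]; pos += 1
    if first & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER")
    udhi = bool(first & 0x40)
    oa_digits = raw[pos]; oa_len = (oa_digits + 1) // 2
    oa = _digits(raw[pos + 2:pos + 2 + oa_len], oa_digits)
    pos += 2 + oa_len
    pid, dcs = raw[pos], raw[pos + 1]; pos += 2
    ts = _digits(raw[pos:pos + 7], 14); pos += 7        # YY MM DD hh mm ss tz
    udl = raw[pos]; pos += 1
    alphabet, cls = _dcs_info(dcs)
    ud = raw[pos:pos + ((udl * 7 + 7) // 8 if alphabet == 0 else udl)]
    info = {"smsc": smsc, "oa": oa, "pid": pid, "dcs": dcs, "class": cls,
            "time": "20%s-%s-%s %s:%s:%s" % (ts[0:2], ts[2:4], ts[4:6], ts[6:8], ts[8:10], ts[10:12])}
    if pid == 0x7F and cls == 2:
        # GSM 11.14: PID "SIM data download" + class 2 => the ME passes the TPDU to the
        # SIM in ENVELOPE (SMS-PP DOWNLOAD) without displaying it.
        info["route"] = "SIM data download"
        info["ota"] = _parse_0348(ud[1 + ud[0]:] if udhi else ud)   # skip UDH if present
    elif pid == 0x40:
        info["route"] = "type 0 (silent): ME acknowledges and discards"
    elif cls == 0:
        info["route"] = "class 0 (flash): shown immediately, not stored"
    elif cls == 2:
        info["route"] = "class 2: stored on the SIM, not executed"
    else:
        info["route"] = "ME inbox"
        if alphabet == 0 and not udhi:
            info["text"] = _unpack_7bit(ud, udl)
    return info

# Constructed sample PDUs (numbers in the fictional 07700 900xxx range).
TEXT_PDU = ("0791447700091032"          # SMSC +447700900123
            "04"                        # SMS-DELIVER, no UDH
            "0C91447700094065"          # TP-OA +447700900456
            "00" "00"                   # TP-PID 0, TP-DCS 0 (7-bit, no class)
            "42305101020300"            # TP-SCTS 2024-03-15 10:20:30 +00
            "05" "E8329BFD06")          # "hello", 7-bit packed
OTA_PDU = ("0791447700091032" "44"      # SMS-DELIVER with TP-UDHI set
           "0C91447700090000"           # TP-OA +447700900000
           "7F" "F6"                    # TP-PID SIM data download, TP-DCS 8-bit class 2
           "42305101020300" "1A"        # 26 octets of user data
           "027000"                     # UDH: IEI 0x70 command packet identifier (GSM 03.48)
           "0015" "0D"                  # CPL=21, CHL=13
           "0000" "00" "00"             # SPI (no RC/CC/DS, no ciphering, no PoR), KIc, KID
           "000000" "0000000000" "00"   # TAR (placeholder), CNTR, PCNTR
           "A0A40000023F00")            # secured data: placeholder GSM 11.11 SELECT MF APDU
SILENT_PDU = ("0791447700091032" "04" "0C91447700094065"
              "40" "00"                 # TP-PID 0x40 = Short Message Type 0
              "42305101020300" "00")    # empty user data

if __name__ == "__main__":
    for pdu in (TEXT_PDU, OTA_PDU, SILENT_PDU):
        print(decode_deliver(pdu))
```

The check that matters operationally is the pair PID 0x7F plus class 2: either on its own is an ordinary (if odd) message, together they bypass the inbox. The SPI field decides whether the SIM will demand a cryptographic checksum or signature before executing the secured data; here it is zero, which is the "no security" case the OTA discussion above is about. Unpacking 7-bit text with a UDH present needs fill-bit handling that this decoder omits.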

Call Control (GSM 11.14, section 4.5): any outgoing call request is
first passed to the SIM, which can modify the call request. This can be
used to listen in on mobile subscribers: every time a call is made, the
SIM can turn it into a conference call to the original number and to the
attacker's own mobile.

Article on SIM Attack Scenario
- the company Riscure demonstrated how an attacker can remotely control
and terminate subscribers' SIM cards by sending a specific data-download
SMS to the card. Once terminated, the SIM card is useless and the
customer is forced to visit the nearest GSM shop to have the SIM
swapped.

PDUSpy,
a tool to create custom SMS / PDU messages. There are two ways of
sending and receiving SMS messages through a GSM modem: text mode and
PDU (Protocol Data Unit) mode. The PDU string contains not only the
message text but also the meta-information: the sender, the SMS service
centre, the time stamp, the protocol identifier and the data coding
scheme. A mobile phone can work with PDUSpy if it supports the AT+CMEE
(extended error reporting), AT+CMGF=0 (select PDU mode), AT+CPMS
(select message storage) and AT+CMGL (list messages) commands.
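Both the concatenation mentioned under "OTA via special SMS" and the PDU mode PDUSpy relies on come down to building SMS-SUBMIT TPDUs by hand. The following is an added example, not PDUSpy's code or anything from the page: it builds SMS-SUBMIT PDUs carrying 8-bit, class 2 user data addressed to the SIM (PID 0x7F), splits a payload larger than 140 octets into concatenated segments, and produces the AT command lines a modem in PDU mode expects. The destination number is from the fictional UK 07700 900xxx range and the 300-byte payload is a placeholder; the extra UDH element (IEI 0x70, the GSM 03.48 command packet identifier) is supplied as a parameter rather than hard-wired, since its exact per-segment placement should be taken from the 03.48 text.

```python
# Added example (not PDUSpy's code): SMS-SUBMIT PDUs with concatenation for a
# modem in PDU mode. Destination and payload are placeholders; see lead-in.

MAX_UD = 140   # TP-UD limit in octets for 8-bit data (GSM 03.40); beyond this, concatenate

def _semi_octets(digits: str) -> bytes:
    """Nibble-swapped BCD digits, padded with F to an even count (GSM 03.40 addresses)."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))

def build_submit(dest: str, user_data: bytes, pid: int, dcs: int,
                 mr: int = 0, udh: bytes = b"") -> bytes:
    """SMS-SUBMIT TPDU (no SMSC prefix) carrying 8-bit user data.

    7-bit text would need packing first; this builder only handles octet payloads.
    """
    first = 0x01 | (0x40 if udh else 0x00)     # TP-MTI=01 SMS-SUBMIT, TP-VPF=00, TP-UDHI if UDH present
    digits = dest.lstrip("+")
    da = bytes([len(digits), 0x91]) + _semi_octets(digits)   # TP-DA: digit count, international TOA
    ud = (bytes([len(udh)]) + udh if udh else b"") + user_data
    if len(ud) > MAX_UD:
        raise ValueError("user data exceeds 140 octets; use concatenate()")
    return bytes([first, mr & 0xFF]) + da + bytes([pid, dcs, len(ud)]) + ud

def concatenate(dest: str, payload: bytes, pid: int, dcs: int, ref: int,
                extra_ies: bytes = b"") -> list:
    """Split payload into segments carrying a concatenation UDH (IEI 00: ref, total, seq)."""
    hdr = 5 + len(extra_ies)                   # concat IE is 5 octets; extra IEs appended as given
    chunk = MAX_UD - 1 - hdr                   # minus the UDHL octet and the header itself
    parts = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    return [build_submit(dest, part, pid, dcs, mr=seq - 1,
                         udh=bytes([0x00, 0x03, ref, len(parts), seq]) + extra_ies)
            for seq, part in enumerate(parts, 1)]

def cmgs_dialogue(tpdu: bytes) -> list:
    """AT lines for one TPDU. AT+CMGS's length counts TPDU octets only, not the leading
    SMSC octet ('00' = use the modem's stored SMSC); the PDU line is ended with Ctrl-Z (0x1A)."""
    return ["AT+CMGF=0", "AT+CMGS=%d" % len(tpdu), "00" + tpdu.hex().upper()]

if __name__ == "__main__":
    # Constructed 300-octet payload addressed to the SIM: PID 0x7F, DCS 0xF6 (8-bit, class 2).
    # Whether the network forwards PID 0x7F from a subscriber at all is the point made above.
    segments = concatenate("+447700900000", bytes(300), 0x7F, 0xF6,
                           ref=0x42, extra_ies=b"\x70\x00")
    for seg in segments:
        print("\n".join(cmgs_dialogue(seg)))
```

With a 7-octet UDH each segment carries 132 payload octets, so 300 octets become three PDUs of 153, 153 and 57 TPDU octets; the AT+CMGS length is exactly that TPDU length, a detail that trips up hand-built PDUs more often than the payload encoding does.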

HushSMS
Windows Mobile 5 and 6 based PocketPC software for sending silent SMS
messages (Short Message Type 0, TP-PID 0x40, which the ME acknowledges
but neither stores nor displays) to a mobile phone. The message is
discarded on the target phone and leaves no trace there; however, the
sender gets back a delivery report from the operator confirming that the
message was delivered, which reveals that the owner's phone is switched
on.